TROJ_FEBUSER.AA

This malware is related to the malicious link spammed via Facebook that allegedly points to a video recording of a young woman committing suicide on camera. When executed it drops malicious files and installs bogus browser plugins detected as JS_FEBUSER.AA.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may arrive on a system by clicking spammed malicious links on the social networking site Facebook.

Arrival Details

This Trojan may be downloaded from the following remote site(s):

• http://s3-sa-east-1.{BLOCKED}aws.com/iframesu/ch.html

It may arrive on a system by clicking spammed malicious links on the social networking site Facebook.

Installation

This Trojan drops the following component file(s):

• %User Temp%\1.crx - detected as JS_FEBUSER.AA
• %User Temo%\2.xpi - detected as JS_FEBUSER.AA
• %User Temp%\fbinstupd.exe - also detected as TROJ_FEBUSER.AA
• %User Temp%\lkaseoihcaig.exe - also detected as TROJ_FEBUSER.AA

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious file:

• %User Temp%\sqlite3.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

NOTES:
This malware installs the following extensions as Mozilla Service Pack 5.0 (for Mozilla Firefox)/Chrome Service Pack (for Google Chrome) to certain web browsers:

• 1.crx (for Google Chrome)
• 2.xpi (for Mozilla Firefox)

It connect to the following URL to update its stat counter:

• http://whos.{BLOCKED}g.us/widget/okinstallchi.pnh